New Trojan Malware “Shamoon” Overwrites Files, Infects MBR

Get some Popchips and have seat and read the newest info about a new MBR-infecting malware. Now, let’s keep in mind these won’t be new techniques, just a new name for an old technique.

According to Israeli security company Seculert, Shamoon relies on a one-two punch, first taking control of a system connected to the Internet before spreading to other PCs on an organization’s network.

The second stage — which kicks off after the malware has done its dirty work — overwrites files and the Master Boot Record (MBR) of the machine. The latter makes the PC unbootable. via ComputerWorld

For the attacking process, it also allows the command-and-control server to be in effect from a second computer (huh?), in which the first computer originally communicated that data to. Which means, there is an alternative trojan being used on the second computer that accepts the data and communicates to the servers for the hackers privately.

We call this second computer a “master”. Which means it is the core computer used to send data to the server. This second computer can accepts data from multiple computers, not just one first computer (hope that makes sense). This is a similar method to the botmasters we see on the IRC networks. Very similar work done, except only automatic.

Shock is found that malware is crippling the computer, after the data is stolen. Normally, malware writers or hackers tend to just withdraw from a computer and no damage is done, except maybe one or two infected files. It is unknown at this point what the algorithm is to overwrite the files, but it is known that the MBR shall be infected in this process.

What does this malware like to overwrite though? Documents, pictures, videos, etc. It likes to kill personal, salvageable data. Sadly, even after removing the malware, your data cannot be recovered. It doesn’t hold it for ransom. It just overwrites it. Right now, it is also unknown whether or not it overwrites the files with malicious code that – when executed – will distribute more malware to the computer. That is… if the computer can be disinfected of the MBR infection first… and hopefully the operating system is accessed.

In the end, it’s just another malware to be removed!

Now, time for technical details:

Main files:

Reporting agent (keeps in touch with hacker) %systemroot%\system32\netinit.exe

Dropper (distributed malware on system) %systemroot%\system32\trksrv.exe

Kernel Mode Driver (clean driver used to gain root access, so MBR can be infected) %systemroot%\system32\drivers\drdisk.sys

File wiping module (literally wipes files on the system) %systemroot%\system32\[RANDOM_NAME].exe

Service information for trksrv.exe:

Display Name: Distributed Link Tracking Server

Service name: TrkSrv

File name: trksrv.exe

After done with its MBR deletion or modification methods, you may get one of few messages on system startup:

  • Operating System not found (75% of the time probably)
  • (Windows Advanced Options Menu Appears) Windows has failed to start… (10% of the time probably)
  • Blue Screen of Death (other 15% of the time probably)

The statistics in parentheses are only speculation. It is imagined that no matter what, system failure or unlikely to boot is caused by this malware. Beware!


Purchase Malwarebytes’ Anti-Malware to protect against the download and install of computer-controlling malware.

In addition, it is best to have a good data backup plan, in order to prevent damage due to malware like this. Please consider the following as a purchase of your next protection method:

Tags: , , , , , , ,

About Dr Jay


3 responses to “New Trojan Malware “Shamoon” Overwrites Files, Infects MBR”

  1. Eric Shupps says :

    Excellent post. Very helpful. Thanks for the info.

%d bloggers like this: